With data breaches and their consequences in the news on a seemingly weekly basis these days the whole subject of data protection has been given a much higher priority by UK businesses.
Regardless of the outcome of the referendum about whether to remain in the EU, by 2018 new data protection regulations will come into force for the UK, and for all companies worldwide that process the data of EU citizens. What else do you need to know about the long awaited The General Data Protection Regulation (GDPR)?
Here are some key points to remember…
More Things Count As Personal Data
GDPR will cover a much wider area in terms of what counts as personal data.
Under these new regulations, any data that could identify an individual such as genetic, mental, cultural, economic or social information will count as personal data.
Obtaining Valid Consent For Information Use Could Be A Challenge
Under the new regulations your organisation MUST be able to PROVE clear and affirmative consent to process personal data. This means that your organisation must remember to explain clearly, and exactly what personal data they are collecting and how it will be processed and used. Your organisation will therefore need to make sure that this step is built into every occurrence of personal data collection without fail and that the proof is stored and can be accessed quickly if necessary.
Many Organisations Must Appoint a Data Protection Officer (DPO)
If you are a public authority processing personal information or if your main activity involves the regular and systematic monitoring of data subjects on a large scale, or if your main work involves the processing on a large scale of special categories of data you will need to appoint a DPO.
This person will of course need to be very familiar with all aspects compliance with existing UK and the new EU regulations. This could therefore have an impact on staffing and resources (for training).
Privacy Impact Assessments (PIAs) Are Mandatory
Under the GDPR Data Controllers must conduct PIAs where privacy breach risks are high so that the risks to data subjects are minimised. This means that to minimise risks to data, subjects PIAs will be needed.
There Will Be a Common Data Breach Notification Requirement of 72 hours
Your organisation will need to have the capability and systems in place to enable it to monitor for, identify and notify the ICO of a data breach within 72 hours of discovering it.
All Data Subjects Will Have ‘The Right To Be Forgotten”
Your organisation must not hold data about a person for longer than is necessary, must not change the use of the data from the purpose for which it was originally collected (when consent was given for that specific purpose), and must delete any data about a subject at the request of that data subject. This gives subjects the right to opt out completely i.e. ‘the right to be forgotten’.
Liability Goes Beyond Data Controllers
Under GDPR it won’t just be the DC who is held liable for data processing issues.
Liability and responsibility will extend to all organisations that touch personal data.
Privacy Must Be Designed and Built-In To The System
Your software, your systems and processes must be designed around compliance with the principles of data protection every step of the way.
The Regulations Apply Wherever You Are In The World
Under GDPR, any European data protection authority is able to take action against organisations regardless of which country they are based in.
What Does This Mean For Your Business?
GDPR will mean that companies like yours will need to take a fresh look at how they deal with personal data.
Hardly any data will not fall under GDPR which means you will need to take GDPR seriously and become very familiar with it and its implications. GDPR will mean for example that:
- Your company will need to be clear about getting consent to use a person’s data for just the specified purpose and not regard silence or inactivity as consent.
- You may need to prepare to select a DPO for appointment, and your company may require a lot of training so that everyone understands basic compliance. This could mean that the kind of human error that could cause a data breach is minimised.
- Your data security policies may need to be changed and the changes promoted across the company. You will also have to develop highly effective systems for monitoring for any data breaches. There will also be the need to design compliance into all data handling and processing systems, and could mean starting the analysis and thought process now to ensure that you are ready for 2018.
- You will have to develop effective systems that ensure fresh consent is gained before you alter the way you use data, and that all data on a subject can be easily and quickly deleted on request.
- If your company provides data processing services for anyone else’s personal data you will need to consider your liability and be compliant with the new EU regulations.
- Only having to deal with one supervisory authority rather than a different one for each EU state should simplify things for businesses like yours, although EU citizens will still be able to register any complaints to the data protection authority of their choice.